Method for verifying information

ABSTRACT

A method for verifying information includes receiving a proof for a function to be evaluated from a proofer which has computed an output of the function. The proof is based on an evaluation key generated based on the function and a security parameter. Validity of the proof is verified based on a verification key generated based on the function and the security parameter. The function is defined as a mapping between matrix groups over a finite field and encoded into a polynomial that is described and implemented as an arithmetic circuit. The function to be evaluated is encoded such that the polynomial is a trace of a difference between the product of left and right input matrix polynomials of all gates of the arithmetic circuit and the output matrix polynomial of all gates of the arithmetic circuit.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No. 15/562,904 filed on Sep. 29, 2017 as a U.S. National Stage Application under 35 U.S.C. § 371 of International Application No. PCT/EP2015/057084 filed on Mar. 31, 2015. The International Application was published in English on Oct. 6, 2016, as WO 2016/155804 A1 under PCT Article 21(2). The entire disclosure of each of the foregoing applications is hereby incorporated by reference herein.

FIELD

The present invention relates to a method for verifying information, for example in a cloud computing system. The present invention further relates to a computing system, for example cloud computing system for verifying information.

BACKGROUND

Verifiable computation refers in general to a cryptographic protocol running between two parties, a proofer P and verifier V, with the aim to compute a proof or certificate of computation that a party given a function f and holding some potentially private input x has computed f(x). The cryptographic guarantees of the system are:

-   -   Completeness: An honest proofer P computing f(x) from f and x         convinces with overwhelming probability a verifier V of the fact         that f(x) is computed properly.     -   Soundness: A cheating proofer P having computed f′(x′) not being         equal to f(x) succeeds with negligible probability to convince         the verifier of having computed f(x).     -   Input Privacy (Zero-Knowledge): A malicious verifier V learns no         information about the input x other than the fact that the         proofer computed x.     -   Function Privacy: The description of function f can be generated         by a third party or jointly computed with a multi-party         computation protocol such that the verifier does not learn f.     -   Knowledgeably: The only way of having computed f(x) given f is         by knowing the input x. In fact that means, x must have been         stored in the memory of the proofer while computing the proof.

A possible setting demonstrating verifiable computation is cloud computing, as illustrated in FIG. 1 . Here a resource-constraint device outsources a computational task to some powerful cloud and wishes the assurance of the correct computation.

One important application of verifiable computation is the evaluation of the quality of large data sets. Many service providers, e.g. social network providers, Internet and mobile network providers have access to huge amount of data and want to monetize their knowledge. Most importantly are statistics over data sets, such as consume or location behaviour. Verifiable computation allows a party to prove the correct computation of the statistics and probe the “quality of data” without revealing already the inputs. Depending on the quality the provider A1 can offer a price. The soundness property gives the buyer A5 the guarantee that the statistics were inferred over n data sets. The zero-knowledge property ensures that the buyer A5 learns nothing about the data entries.

In the non-patent literature of George Danezis, Cedric Fournet, Jens Groth, and Markulf Kohlweiss, “Square span programs with applications to succinct nizk arguments”, Cryptology ePrint Archive, Report 2014/718, 2014, http://eprint.iacr.org/ and Helger Lipmaa, “Succinct non-interactive zero knowledge arguments from span programs and linear error-correcting codes”, Cryptology ePrint Archive, Report 2013/121, 2013, http://eprint.iacr.org/ a span program was disclosed enabling a verification of Boolean functions.

In the further non-patent literature of Rosario Gennaro, Craig Gentry, Bryan Parno, and Mariana Raykova, “Quadratic span programs and succinct nizks without pcps”, Cryptology ePrint Archive, Report 2012/215, 2012, http://eprint.iacr.org/ a verification of arithmetic functions was disclosed based on quadratic arithmetic programs, ‘QAP’ which detailed implementation was disclosed in the non-patent literature of Gentry and Parno, available under http://research.microsoft.com/pubs/180286/Pinocchio.pdf. Said method was applied to verify random access machine programs as disclosed in the non-patent literature of Eli Ben-Sasson, Alessandro Chiesa, Eran Tromer, and Madars Virza, “Succinct non-interactive zero knowledge for a von neumann architecture”, Cryptology ePrint Archive, Report 2013/879, 2013, http://eprint.iacr.org/.

Further in the non-patent literature of Sanjeev Arora, Carsten Lund, Rajeev Motwani, Madhu Sudan, and Mario Szegedy, “Proof verification and the hardness of approximation problems”, pages 501-555, 1998 probabilistic checkable proof systems are disclosed being proof systems with a 2-sided error. However, these systems are impractical, i.e. far away from practice.

In the non-patent literature of Yihua Zhang and Marina Blanton, “Efficient secure and verifiable outsourcing of matrix multiplications”, Cryptology ePrint Archive, Report 2014/133, 2014, http://eprint.iacr.org/ and the related work mentioned therein proof systems are disclosed only addressing very special cases.

SUMMARY

In an embodiment, the present invention provides a method for verifying information. The method includes receiving a proof for a function to be evaluated from a proofer which has computed an output of the function. The proof is based on an evaluation key generated based on the function and a security parameter. Validity of the proof is verified based on a verification key generated based on the function and the security parameter. The function is defined as a mapping between matrix groups over a finite field and encoded into a polynomial that is described and implemented as an arithmetic circuit. The function to be evaluated is encoded such that the polynomial is a trace of a difference between the product of left and right input matrix polynomials of all gates of the arithmetic circuit and the output matrix polynomial of all gates of the arithmetic circuit.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be described in even greater detail below based on the exemplary figures. The invention is not limited to the exemplary embodiments. All features described and/or illustrated herein can be used alone or combined in different combinations in embodiments of the invention. The features and advantages of various embodiments of the present invention will become apparent by reading the following detailed description with reference to the attached drawings which illustrate the following:

FIG. 1 shows a conventional cloud computing scenario;

FIG. 2 shows steps of a method according to an embodiment of the present invention;

FIG. 3 shows steps of a method according to an embodiment of the present invention; and

FIG. 4 shows a computing system according to an embodiment of the present invention.

DETAILED DESCRIPTION

Conventional methods for verifiable computation have significant problems. One problem is the computational cost of the verifier: The verifier approves correct computation. The verifier may simply compute the corresponding function alone and cross-check the results. However, if the complexity of computing is high and/or the size of the input x is large, for example the data base of billions of entries, or the input x has to be kept private, the trivial solution of self-computing them for verification is not applicable. Another problem is the limited flexibility in terms of which functions can be verified as well as in terms of applicability in different fields.

Embodiments of the present invention provide methods and systems for verifying information that reduce the computational costs of a verifier. In particular, embodiments of the present invention provide methods and systems for verifying information that enable a verifier to spend time resources sublinear to those of a proofer, i.e. providing a method and a system for verifying information being ‘succinct.’

Embodiments of the present invention further provide a method and a system for verifying information which can be easily applied in different fields and allow for verification of information in particular in form of any polynomial function.

According to an embodiment, a method for verifying information is provided, e.g. in a cloud computing system, the method comprising, by means of one or more computation devices: generating an evaluation key and a verification key in a memory available to at least one of said computation devices based on a security parameter and a function to be evaluated by a key generator, computing an output of said function using an input in a memory available to at least one of said computation devices computing a proof for said outcome using said evaluation key in a memory available to at least one of said computation devices, and verifying if said proof is valid based on said verification key in a memory available to at least one of said computation devices, wherein said function is defined as a mapping between matrix groups over a finite field and encoded into a polynomial in a memory available to at least one computation device.

According to an embodiment, a computational system is provided comprising one or more computation devices communicating with each other and being operable and configured to: generate an evaluation key and a verification key in a memory available to at least one of said computation devices based on a security parameter and a function to be evaluated by a key generator, to compute an output of said function using an input in a memory available to at least one of said computation devices, to compute a proof for said outcome using said evaluation key in a memory available to at least one of said computation devices, and to verify if said proof is valid based on said verification key in a memory available to at least one of said computation devices, wherein said function is defined as a mapping between matrix groups over a finite field and encoded into a polynomial in a memory available to at least one computation device.

Although applicable to any kind of method or system for verifying information in general, the present invention will be described with regard to so-called verifiable computation.

Embodiments of the invention can significantly enhance flexibility for many computational models including linear programming, quadratic programming, convex programming and non-linear programming the present invention can be applied when the underlying functions are defined by polynomials over matrix groups. Embodiments of the present invention can be useful inter alia in machine learning, privacy-preserving computation of statistics, benchmarking verification, etc.

By performing the computations on matrix groups over fields, embodiments of the present invention can reduce the encoding of the computation from O(q³) polynomials to O(q²) polynomials.

Embodiments of the present invention can provide proofs that are probabilistically checkable.

Embodiments of the present invention can be more general and flexible compared with conventional methods and systems allowing computation of any polynomial-size function defined over a matrix group.

Embodiments of the present invention have a very wide area of applicability and can in particular be connected to vector computing where owner of big data centers can host outsourced computational power.

According to a preferred embodiment the function is encoded such that a target polynomial is generated being an element of said finite fields over the input which always divides said polynomial.

According to a further preferred embodiment the polynomial is described and implemented as an arithmetic circuit.

According to a further preferred embodiment the polynomial is the trace of a difference between the product of left and right input matrix polynomials of all gates of said arithmetic circuit and the output matrix polynomial of all gates of said arithmetic circuit.

According to a further preferred embodiment said input and output matrix polynomials are randomly shifted, ‘MP-S’, preferably by adding a product of said target polynomial with a random number to said input and output matrix polynomials.

According to a further preferred embodiment when computing said outcome a second polynomial is used with the input and same random information which is used for generating said keys.

According to a further preferred embodiment the proof is computed using said ‘MP-S’ dependent from said random information.

According to a further preferred embodiment for verifying said validity of the proof the correct structure of the arithmetic circuit is checked.

According to a further preferred embodiment for verifying said validity of the proof it is checked whether the target polynomial divides said MP-S.

According to a further preferred embodiment for verifying said validity of the proof the linear combinations computed over said MP-S are checked if they are in their corresponding spans.

According to a further preferred embodiment said input is private.

FIG. 1 shows a conventional cloud computing scenario. In FIG. 1 a provider A1 of the data sends data to a computation provider A3, i.e. a proofer. A function provider A2 sends a function to be computed also to the computation provider A3. The computation provider A3, for example a computation facility, performs computation of the provided function. The result of the computation is sent to a user A4 for further evaluation of the result. The computation provider A3 further sends a proof to a verifier A5 which then needs to verify the result of the function by verifying the received proof.

FIG. 2 shows a part of steps of a method according to a first embodiment of the present invention. In FIG. 2 an interaction between proofer P and verifier V to verify the computation of a function f(x) is shown. In the following definitions and notations are given: [q]=1, . . . , q denotes the set of integers between 1 and q, and [q₀, q₁]=q₀, . . . , q₁ denotes the interval between q₀ and q₁. M _(q)(

)=

_(q)(

_(p))⊆

_(p) ^(q×q)

Is the set of q×q matrices A=(a_(ij)) with elements a_(ij)∈F_(p). The identity matrix is denoted by I_(q) where all element on the diagonal are 1 and the rest are zero. The transpose of the matrix is indicated by A^(T)=(au) and the multiplication of two matrices A, B∈M_(q)(F):M_(q)(F)∈M_(q)(F)→M_(q)(F) is defined as

${AB} = \left( {\sum\limits_{k \in {\lbrack q\rbrack}}{a_{ik}b_{kj}}} \right)$ and A*B∈M_(q)(F) denotes the element-wise multiplication, i.e. A*B=(a _(ij) b _(ij)),∀i,j∈[q] g is a generator of a group G of order p. Then g^(A) denotes (g ^(a) ^(ij) )_(i,j∈[q]) ∈M _(q)(

) Further A, B∈M_(q)(F_(p)), then (g^(A))^(B) denotes g^(A*B)=∈G^(q×q) with i,j∈[q].

In the following the definition of a trace is given: A∈G^(q×q) is a square matrix. The trace of said matrix A, denoted as Tr{A}, is then defined as the linear operation Σ_(i=1) ^(q) =A _(ii) The trace induces an inner product <,> in F^(q×q). If A, B∈F^(q×q) then <A, B>=Tr{A^(T)B}, where A^(T) is the transpose matrix of A. B(F^(q×q))={X_(i)∈F^(q×q), i∈[q²]} is a set of q matrices, where for every matrix X _(i) ={x _(jk) ^(i)}_(j,k∈[q]) such that x^(i) _(jk)=1 if (j−1)q+k=i, and 0 otherwise then B(F^(q×q)) is a basis of F^(q×q). This can be seen by inspection, A=Σ _(i∈[q) ₂ _(]) a _(i) X _(i) for some {a_(i)∈F, i∈[q²]}. Actually a_(i) is the value of matrix A where the element of X_(i) is non-zero. When A∈F^(q×q) is a matrix and X_(i)∈B(F^(q×q)) is a basis then A=Σ_(i∈[q) ₂ _(])a_(i)X_(i), where a_(i)=Tr{X^(T) _(i)A}, which can be seen from the following: The matrix product X^(T) _(i)A yields a matrix with the j-th row comprising the k-th row of A. The diagonal element is the (j, k)-th element of the original matrix A. Thus the operation of Tr{X^(T) _(i)A}=a_(jk). This is due to the fact that Tr{X^(T)A}=<X,A> is the inner product in the space of F^(q×q) and using the expansion theorem: A=Σi<X_(i),A>X_(i).

The previous considerations simply state that the set of matrices X_(i) can be used to sample the original matrix A. From an information-theoretic point of view A and {Tr{X^(T) _(i) A}, i∈[q²], X_(i)∈B(F^(q×q))} are equivalent.

In the following the quadratic arithmetic programs, ‘QAP’, according to the non-patent literature of Bryan Parno, Jon Howell, Craig Gentry, and Mariana Raykova, “Pinocchio: Nearly practical verifiable computation” in Security and Privacy (SP), 2013 IEEE Symposium on, pages 238-252, IEEE, 2013 or Rosario Gennaro, Craig Gentry, Bryan Parno, and Mariana Raykova, “Quadratic span programs and succinct nizks without pcps”, in Advances in Cryptology-EUROCRYPT 2013, pages 626-645, Springer, 2013 are shown. QAPs are a way to encode a function described as an arithmetic circuit into a polynomial described by a set of polynomials for every wire of the arithmetic circuit. The quadratic arithmetic program QAP according to the non-patent literature of Rosario Gennaro, Craig Gentry, Bryan Parno, and Mariana Raykova, “Quadratic span programs and succinct nizks without pcps”, in Advances in Cryptology-EUROCRYPT 2013, pages 626-645, Springer, 2013 is shown as follows: A QAP Q over a field F comprises three sets of m+1 polynomials V={v_(k)(x)}, W={w_(k)(x)}, Y={y_(k)(x)}, for k∈[m+1] and a target polynomial t(x). Further F is a function from F^(n) to F^(n′) and N=n+n′. Q “computes” F if there exists c∈F^(m) such that (c₁, . . . , c_(n)) is the input, (c_(n+1), . . . , c_(N)) is the output and t(x) divides p(x), where

${p(x)} = {{\left( {{v_{0}(x)} + {\sum\limits_{k \in {\lbrack m\rbrack}}{c_{k}{v_{k}(x)}}}} \right)\left( {{w_{0}(x)} + {\sum\limits_{k \in {\lbrack m\rbrack}}{c_{k}{w_{k}(x)}}}} \right)} - \left( {{y_{0}(x)} + {\sum\limits_{k \in {\lbrack m\rbrack}}{c_{k}{y_{k}(x)}}}} \right)}$ Since t(x) divides p(x), there exists a polynomial h(x), such that p(x)=h(x)t(x).

Building a QAP Q for an arithmetic circuit C is performed as follows: an arbitrary root r_(g)∈F is picked for each multiplication gate g in C and the target polynomial is defined to be t(x)=Π_(g)(x−r_(g)). An index k∈[m]={1, . . . , m} to each input of the circuit and to each output from a multiplication gate of said circuit, wherein the addition gates will be compressed into their contributions to the multiplication gates. Finally the polynomials in V, W, and Y are defined by letting the polynomials in V encode the left input into each gate, the W encode the right input into each gate, and the Y encode the outputs. For example, v_(k)(r_(g))=1 if the k^(th) wire is a left input to gate g, and v_(k)(r_(g))=0 otherwise. Similarly, y_(k)(r_(g))=1 if the k^(th) wire is the output of gate g, and y_(k)(r_(g))=0 otherwise. Thus, if a particular gate g and its root r_(g) is considered, the above equation simplifies to:

${\left( {\sum\limits_{k = 0}^{m}{c_{k}{y_{k}\left( r_{g} \right)}}} \right) = {\left( {\sum\limits_{k = 0}^{m}{c_{k}{v_{k}\left( r_{g} \right)}}} \right)\left( {\sum\limits_{k = 0}^{m}{c_{k}{\omega_{k}\left( r_{g} \right)}}} \right)}}{\left. c_{output} \middle| g \right. = \left. {c_{left} \cdot c_{right}} \middle| g \right.}$ which says that the output value of the gate is equal to the product of its inputs, the very definition of a multiplication gate. In short, the divisibility check that t(x) divides p(x) decomposes into deg(t(x)) separate checks, one for each gate g and root r_(g) of t(x), that p(r_(g))=0.

In the following a public verifiable computation method according to the non-patent literature of Rosario Gennaro, Craig Gentry, and Bryan Parno, “Non-interactive verifiable computing: Outsourcing computation to untrusted workers”, in Advances in Cryptology—CRYPTO 2010, pages 465-482, Springer Berlin Heidelberg, 2010 is shown. Such a public verifier computation is also disclosed in the non-patent literature of Bryan Parno, Mariana Raykova, and Vinod Vaikuntanathan, “How to delegate and verify in public: Verifiable computation from attribute-based encryption”, in Theory of Cryptography, pages 422-439, Springer, 2012.

When F is a function to be outsourced and u the input and y=F(u) the associated output then a public verifiable computation scheme VC comprises of a set of three polynomial-time algorithms VC=(KeyGen, Compute, Verify), defined as follow

-   -   (EK_(F), VK_(F))←KeyGen(F, 1^(λ)): Taking as input the function         F to be evaluated and a security parameter λ, the procedure         generates/computes the evaluation key EK_(F) and the         verification key VK_(F)     -   (y, π_(y))←Compute(EK_(F), x): The worker computes the output         y=F(x) and the proof π_(y) using the evaluation key EK_(F) and         the (private) input x     -   {0, 1}←Verify(VK_(F), y, π_(y)): from the verification keys         VK_(F) and the proof π_(y), the verifier checks whether π_(y) is         a valid proof for having computed F(x)=y

In the following in more detail an embodiment of the present invention is described:

-   -   1. Said embodiment of the present invention provides an encoding         for efficiently verifying the computation of matrix         multiplication and additions wherein the encoding following         conventional QAP is called here the quadratic matrix program,         ‘QMP’. QAPs are defined over a finite field F_(p) of (prime)         order p. The matrix group over the field F_(p) is not         commutative, so it is not a field by itself. The results are         extended to this context. This allows us to greatly simplify the         QAP when matrix operations are involved.     -   2. Further a cryptographic protocol to verify the computation of         QMPs, illustrated in FIG. 2 is given.

In the following a variant of QAPs with the property of probabilistically checking the computation of function F is described. The QMP is sampled by means of a matrix X and then compute the trace in order to get a polynomial p(x, X)=h(x, X)t(x). A QMP Q over a matrix group M_(q)(I_(p)) over the field F_(p) comprises three sets of m+1 matrix polynomials V={V_(k)(x)}, W={W_(k)(x)}, Y={Y_(k)(x)}, for k∈[m+1], where V_(k)(x), W_(k)(x), Y_(k)(x)∈M_(q)(F_(p)[x]) and a target matrix polynomial t(x)∈F_(p)[x]. F is defined as a function from M_(q)(F_(p))^(n) to M_(q)(F_(p))^(n′) and let N=n+n′. Q “computes” F if there exist coefficients C∈M_(q)(F_(p)) such that (C₁, . . . , C_(N)) is an assignment of the input and output wires, and if there exist coefficient matrices (C_(N+1), . . . , C_(m)) such that for every X∈M_(q)(F_(p)) it holds that t(x) divides p(x, X), where

$\begin{matrix} {{p\left( {x,X} \right)} = {{Tr}\left\{ {X^{T}\left( {{V_{0}(x)} + {\sum\limits_{k \in {\lbrack m\rbrack}}{C_{k}*{V_{k}(x)}{))}\left( {{W_{0}(x)} + {\sum\limits_{k \in {\lbrack m\rbrack}}{C_{k}*{W_{k}(x)}}}} \right)}} - {X^{T}\left( {{Y_{0}(x)} + {\sum\limits_{k \in {\lbrack m\rbrack}}{C_{k}*{Y_{k}(x)}}}} \right)}} \right.} \right\}}} \\ {= {{Tr}\left\{ {X^{T}\left( {{{V(x)}{W(x)}} - {Y(x)}} \right)} \right\}}} \\ {= {{Tr}\left\{ \left( {{{V(x)}{W(x)}X^{T}} - {{Y(x)}X^{T}}} \right) \right\}}} \\ {= {{{Tr}\left\{ \left( {{V(x)}{W(x)}X^{T}} \right) \right\}} - {{Tr}\left\{ \left( {{Y(x)}X^{T}} \right) \right\}}}} \\ {= {{{Tr}\left\{ \left( {{V(x)}{W^{*}(x)}} \right) \right\}} - {{Tr}\left\{ \left( {Y^{*}(x)} \right) \right\}}}} \end{matrix}$ where V_(k)(x), W_(k)(x), Y_(k)(x) are matrix polynomials of the form

${{V_{k}(x)} = {\sum\limits_{i \in L_{k}}{V_{ki}{\delta\left( {x,r_{i}} \right)}}}}{{W_{k}(x)} = {\sum\limits_{i \in R_{k}}{W_{ki}{\delta\left( {x,r_{i}} \right)}}}}{{Y_{k}(x)} = {\sum\limits_{i \in O_{k}}{Y_{ki}{\delta\left( {x,r_{i}} \right)}}}}$ with L_(k), R_(k), O_(k) is the set of left, right and output gates in which the connection k is active. The delta functions are here the Lagrange polynomial

${\delta\left( {x,r_{i}} \right)} = {{l_{i}(x)} = {\Pi_{j \in {\lbrack d\rbrack}}\frac{\left( {x - r_{j}} \right)}{\left( {r_{i} - r_{j}} \right)}}}$ Since t(x) divides p(x, X), there exists a polynomial h(x, X), such that p(x, X)=h(x, X)t(x).

In the following a verifiable computation method allowing to verify a computation of a function is shown. One of the steps of this method is the encoding of the function as so-called pcQMP. The steps as mentioned with QAP, i.e. the key generation, the computation and the verification are also described in more detail for this embodiment of the present invention:

In the following F: M(F)^(n)→M(F)^(n′) is the verification function of an outsourced operation, where N=n+n′, F_(p) is a field and M(F_(p)) is the group of matrices on the field F_(p) and further the associated pcQMP is Q=(t(x), V, W, Y) of size m and degree d associated with F. Further I_(mid)=[N+1, m] and N_(i0)=[N], that corresponds to the indexes associated with the internal state of the arithmetic circuit or the input and output, while I₀=[n] and I₁=[n+1, n′] are the indexes associated with the input and output connection of the circuit. e:G×G→G_(T) is a non-trivial bilinear map and g a generator of G.

In the following the key generation is described in more detail: (EK_(F), VK_(F)) KeyGen(F, 1^(λ)): starting from the function F the associated pcQMP is generated for some random sample S←M_(q)(F_(p)). Slightly abusing notation, it is assumed that the polynomials in W and Y are randomly shuffled, i.e. W_(k)=W_(k)S for every W_(k)∈W and similarly for the polynomials in Y. The procedure then selects some random elements r_(v), r_(w), s, α_(v), α_(w), α_(y), β, γ←F_(p) and sets r_(y)=r_(v) r_(w), g_(v)=g^(nv), g_(w)=g^(rw) and g_(y)=g^(ry). The evaluation key EKE is generated according to

EK_(F) = ({g_(v)^(V_(k)(s))}_(k ∈ I_(mid)), {g_(w)^(W_(k)(s))}_(k ∈ I_(mid)), {g_(y)^(Y_(k)(s))}_(k ∈ I_(mid)), {g_(v)^(α_(v)V_(k)(s))}_(k ∈ I_(mid)), {g_(w)^(α_(w)W_(k)(s))}_(k ∈ I_(mid)), {g_(y)^(α_(y)Y_(k)(s))}_(k ∈ I_(mid)), {g^(s^(i))}_(i ∈ [d]), {g_(v)^(βV_(k)(s))g_(w)^(βW_(k)(s))g_(y)^(βY_(k)(s))}_(i ∈ [d])) while the verification key is set as

VK_(F) = (g, g^(α_(v)), g^(α_(w)), g^(α_(y)), g^(γ), g^(β_(γ)), g_(y)^(t(s)), {g_(v)^(V_(k)(s)), g_(w)^(W_(k)(s)), g_(y)^(Y_(k)(s))}_(k ∈ {0}U[N])

In the following the Computation of F is described in more detail: (y, π_(y)) Compute(EK_(F), x): The worker computes y=F(x), using the coefficient of the pcQMP {C_(i)}_(ie[m]) and then resolve for h(x, S) such that p(x, S)=h(x, S)t(x) and computes the proof as

π_(y) = (g_(v)^(V_(mid(s))), g_(w)^(W_(mid(s))), g_(y)^(Y_(mid(s))), g^(h(s)), g^(V_(mid)^(′)) = g_(v)^(α_(v)V_(mid(s))), g^(W_(mid)^(′)) = g_(w)^(α_(w)W_(mid(s))), g^(Y_(mid)^(′)) = g_(y)^(α_(y)Y_(mid(s))), g^(z) = g_(v)^(βV_(mid(s)))g_(w)^(βW_(mid(s)))g_(v)^(βY_(mid(s)))) where V_(mid)(X)=Σ_(k∈Imid)C_(k)*V_(k)(x), V(x)=V₀(x)+Σ_(k∈[m])C_(k)*V_(k)(X), W(X)=W₀(X)+Σ_(k∈[m])C_(k)*W_(k)(x) and Y(s)=Y₀(x)+Σ_(k∈[m])C_(k)*Y_(k)(s). The computation is done directly in the exponent, e.g.

ℊ^(V(s)) = ℊ^(V₀(s))∏_(k ∈ [m])(ℊ^(V_(k)(s)))^(C_(k))

In the following the verification is described in more detail:

-   -   (0, 1)←Verify(VK_(F), x, y, π_(y)): The verifier checks using         the bilinear map e and the verification key VK_(F), if:         -   QAP C satisfies the divisibility check: Compute from the             verification key VK_(F)g_(υ) ^(V) ^(io(s)) =Π_(k∈[N])(g_(υ)             ^(V) ^(k(s)) )^(C) ^(k) (and similarly for g_(w) ^(W)             ^(io(s)) and g_(y) ^(Y) ^(io(s)) ) and check:

Tr{e(g_(v)^(V₀(s))g_(v)^(V_(io)(s))g_(v)^(V_(mid)(s)), g_(w)^(W₀(s))g_(w)^(W_(io)(s))g_(v)^(W_(mid)(s)))} = e(g_(y)^(t(s)), g_(y)^(h(s, S)))Tr{e(g_(y)^(Y₀(s))g_(y)^(Y_(io)(s))g_(y)^(Y_(mid)(s)), g)}

-   -   -   Check that the linear combinations computed over V, W and Y             are in their appropriate spans:

e(g_(v)^(V_(mid)^(′)), g) = e(g^(V_(mid)), g^(α_(v))), e(g_(w)^(W_(mid)^(′)), g) = e(g^(W_(mid)), g^(α_(w))), e(g_(y)^(Y_(mid)^(′)), g) = e(g^(Y_(mid)), g^(α_(y)))

-   -   -   Check that the same coefficients were used in each of the             linear combination over V, W, and Y:

e(g^(z), g^(y)) = e(g_(v)^(V_(mid))g_(w)^(W_(mid))g_(y)^(Y_(mid)), g^(βγ))

FIG. 3 shows steps of a method according to a second embodiment of the present invention. In FIG. 3 steps of a method for verifying information are shown. The method comprising by means of one or more computation devices the following steps: The first step S1 comprises generating an evaluation key and a verification key in a memory available to at least one of said computation devices based on a security parameter and a function to be evaluated by a key generator. The second step S2 comprises computing an output of said function using an input in a memory available to at least one of said computation devices. The third step S3 comprises computing a proof for said outcome using said evaluation key in a memory available to at least one of said computation devices, and the fourth step S4 comprises verifying if said proof is valid based on said verification key in a memory available to at least one of said computation devices, wherein said function is defined as a mapping between matrix groups over a finite field and encoded into a polynomial in a memory available to at least one computation device. These steps may be performed by different computation devices or computing entities.

FIG. 4 shows a computing system according to a third embodiment of the present invention. In FIG. 4 a computing system comprising a plurality of computation devices CD1, CD2, CD3, CD4 are shown. The first computation device CD1 is configured to generate an evaluation key and verification key in a memory available to at least one of said computation devices based on a security parameter and a function to be evaluated by a key generator.

The second computation device CD2 is configured to compute an output of said functional using an input in a memory available to at least one of said computation devices.

The third computation device CD3 is configured to compute a proof for said outcome using said evaluation key in a memory available to at least one of said computation devices.

The fourth computation device CD4 is configured to verify if said proof is valid based on said verification key in a memory available to at least one of said computation devices, wherein either computation devices CD1, CD2, CD3, CD4 said function is defined as a mapping between matrix groups over a finite field and encoded into a polynomial in a memory available to at least one computation device.

According to an embodiment of the present invention: a verification paradigm over matrix group that allows to verify a polynomial evaluation efficiently. Conventional methods can be applied to matrix polynomials but not natively in the group of Matrix, since the matrix group is not commutative. In particular the trick to verify computation over Matrix groups is to compute the trace to define an inner product inside the matrix group; and a construction of sampling matrices reducing the complexity to constant time with respect to the matrix group size. In particular the trick here is that the sampling can be of special shape in order to reduce computational complexity.

Embodiments of the present invention can enable an implementation of a complex matrix problem over a cloud system leaving to the verifier constant time verification problem which is practical for all polynomial time-computable functions.

While the invention has been illustrated and described in detail in the drawings and foregoing description, such illustration and description are to be considered illustrative or exemplary and not restrictive. It will be understood that changes and modifications may be made by those of ordinary skill within the scope of the following claims. In particular, the present invention covers further embodiments with any combination of features from different embodiments described above and below.

The terms used in the claims should be construed to have the broadest reasonable interpretation consistent with the foregoing description. For example, the use of the article “a” or “the” in introducing an element should not be interpreted as being exclusive of a plurality of elements. Likewise, the recitation of “or” should be interpreted as being inclusive, such that the recitation of “A or B” is not exclusive of “A and B,” unless it is clear from the context or the foregoing description that only one of A and B is intended. Further, the recitation of “at least one of A, B and C” should be interpreted as one or more of a group of elements consisting of A, B and C, and should not be interpreted as requiring at least one of each of the listed elements A, B and C, regardless of whether A, B and C are related as categories or otherwise. Moreover, the recitation of “A, B and/or C” or “at least one of A, B or C” should be interpreted as including any singular entity from the listed elements, e.g., A, any subset from the listed elements, e.g., A and B, or the entire list of elements A, B and C. 

What is claimed is:
 1. A method for verifying information, the method comprising: receiving a proof for a function to be evaluated from a proofer which has computed an output of the function, the proof being based on an evaluation key generated based on the function and a security parameter; and verifying validity of the proof based on a verification key generated based on the function and the security parameter, wherein the function is defined as a mapping between matrix groups over a finite field and encoded into a polynomial that is described and implemented as an arithmetic circuit, and wherein the function to be evaluated is encoded such that the polynomial is a trace of a difference between the product of left and right input matrix polynomials of all gates of the arithmetic circuit and the output matrix polynomial of all gates of the arithmetic circuit.
 2. The method according to claim 1, wherein the function to be evaluated is encoded such that a target polynomial is generated belonging to the finite field over the input which always divides the polynomial.
 3. The method according to claim 2, wherein the input and output matrix polynomials are randomly shifted by adding a product of the target polynomial with a random number to the input and output matrix polynomials.
 4. The method according to claim 3, wherein the proof has been computed using the randomly shifted input and output matrix polynomials dependent from the random number.
 5. The method according to claim 3, wherein verifying the validity of the proof includes checking whether the target polynomial divides the randomly shifted input and output matrix polynomials.
 6. The method according to claim 3, verifying the validity of the proof includes checking linear combinations computed over the randomly shifted input and output matrix polynomials to determine whether the linear combinations are in corresponding spans.
 7. The method according to claim 1, wherein the function has been computed using a second polynomial, a private input and random information which was used for generating the evaluation key and the verification key.
 8. The method according to claim 7, wherein the proofer and a verifier which verifies the validity of the proof are computation devices in a cloud computing environment.
 9. The method according to claim 1, wherein verifying the validity of the proof includes checking whether the arithmetic circuit has a correct structure.
 10. The method according to claim 1, wherein the evaluation key and the verification key are generated by a verifier that verifies the validity of the proof.
 11. A verifier for verifying information comprising a computation device including one or more processors and access to memory which is configured to facilitate execution of the following steps: receiving a proof for a function to be evaluated from a proofer which has computed an output of the function, the proof being based on an evaluation key generated based on the function and a security parameter; and verifying validity of the proof based on a verification key generated based on the function and the security parameter, wherein the function is defined as a mapping between matrix groups over a finite field and encoded into a polynomial that is described and implemented as an arithmetic circuit, and wherein the function to be evaluated is encoded such that the polynomial is a trace of a difference between the product of left and right input matrix polynomials of all gates of the arithmetic circuit and the output matrix polynomial of all gates of the arithmetic circuit.
 12. The verifier according to claim 11, wherein the function to be evaluated is encoded such that a target polynomial is generated belonging to the finite field over the input which always divides the polynomial.
 13. The verifier according to claim 12, wherein the input and output matrix polynomials are randomly shifted by adding a product of the target polynomial with a random number to the input and output matrix polynomials.
 14. The verifier according to claim 13, wherein the proof has been computed using the randomly shifted input and output matrix polynomials dependent from the random number.
 15. The verifier according to claim 13, wherein verifying the validity of the proof includes checking whether the target polynomial divides the randomly shifted input and output matrix polynomials.
 16. The verifier according to claim 13, verifying the validity of the proof includes checking linear combinations computed over the randomly shifted input and output matrix polynomials to determine whether the linear combinations are in corresponding spans.
 17. The verifier according to claim 11, wherein the function has been computed using a second polynomial, a private input and random information which was used for generating the evaluation key and the verification key.
 18. The verifier according to claim 11, wherein the verifier is part of a cloud computing environment.
 19. The verifier according to claim 11, wherein verifying the validity of the proof includes checking whether the arithmetic circuit has a correct structure.
 20. The verifier according to claim 11, wherein the verifier is further configured to generate the evaluation key and the verification key. 